Hunting in the Dark - HTCIA 2015

"Hunting" is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs - often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics.

This presentation will provide analytic techniques that can identify generic evidence of post-compromise activity, with focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for at-scale anomaly analysis, and provide examples of how to effectively collect data and reduce noise.

20.
Example: Duqu 2.0
Copyright 2015 Tanium Inc. All rights reserved.
“In addition to creating services to infect other computers in the LAN, attackers can also use the Task Scheduler to start ‘msiexec.exe’ remotely. The usage of Task Scheduler during Duqu infections for lateral movement was also observed with the 2011 version...”
Source: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

30.
Blind spot: Task paths
• TaskName defines the path to the job file
• By default, tasks are placed in
%systemroot%\system32\tasks
• An attacker with Administrator privileges can instead create tasks under
%systemroot%\system32\tasks\Microsoft\[…]
• If you stack only on TaskName, these are harder to spot: a task in the Microsoft\ subtree blends in with the many legitimate Microsoft-named tasks, so stack on what the task actually runs (the action) as well as on its name

34.
Revisiting our example: Duqu 2.0
• How common are tasks with ActionName=“msiexec.exe” across your environment?
• Could you have found this proactively, without any leads?
Source: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
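The two slides above (the task-path blind spot and the "how common is ActionName=msiexec.exe" question) describe one analytic: collect the job files from %systemroot%\system32\tasks on every host, parse each task's <Exec> action, and stack the normalized image name across the fleet so that a rarely seen action stands out even when the task is tucked under the Microsoft\ subtree. The following is an added example written for this page; it is not code from the presentation or from Tanium. It parses the real Task Scheduler 2.0 XML schema but takes an already-collected inventory as input; the host names, task paths and job files in SAMPLE_TASKS are constructed sample data, and the msiexec.exe entry is modelled on the Duqu 2.0 description rather than on any captured sample.

```python
r"""Stack scheduled-task job files by ActionName to surface rare actions.

Added example (not from the HTCIA slides or Tanium). Input is an inventory of
(host, task path relative to %systemroot%\system32\tasks, job-file XML) tuples
as a collection tool would return them; the samples below are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by every Task Scheduler 2.0 job file.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _task_xml(command, arguments=""):
    """Build a minimal job-file body (constructed sample, real schema)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f'<Command>{command}</Command><Arguments>{arguments}</Arguments>'
        '</Exec></Actions></Task>'
    )


# Constructed three-host inventory. The last entry is a hypothetical attacker
# task hidden under Microsoft\, invoking msiexec.exe on a remote package in the
# manner the Duqu 2.0 write-up describes.
_DEFRAG = _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")
_W32TM = _task_xml(r"%windir%\system32\sc.exe", "start w32time task_started")
SAMPLE_TASKS = [
    ("WS01", r"Microsoft\Windows\Defrag\ScheduledDefrag", _DEFRAG),
    ("WS02", r"Microsoft\Windows\Defrag\ScheduledDefrag", _DEFRAG),
    ("WS03", r"Microsoft\Windows\Defrag\ScheduledDefrag", _DEFRAG),
    ("WS01", r"Microsoft\Windows\Time Synchronization\SynchronizeTime", _W32TM),
    ("WS02", r"Microsoft\Windows\Time Synchronization\SynchronizeTime", _W32TM),
    ("WS03", r"Microsoft\Windows\Time Synchronization\SynchronizeTime", _W32TM),
    ("WS02", r"Microsoft\Windows\Maintenance\WinSAT2",
     _task_xml(r"C:\Windows\System32\msiexec.exe", r"/i \\fs01\public\update.msi /q")),
]


def parse_exec_action(job_xml):
    """Return (command, arguments) of the first <Exec> action, or None if the
    task has no Exec action (e.g. a ComHandler or SendEmail action)."""
    root = ET.fromstring(job_xml)
    exec_node = root.find("t:Actions/t:Exec", TASK_NS)
    if exec_node is None:
        return None
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
    arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
    return command, arguments


def action_name(command):
    r"""Normalize a <Command> to a bare, lower-cased image name so that
    %windir%\system32\msiexec.exe and "C:\Windows\System32\MSIEXEC.EXE" stack
    together regardless of quoting, case or how the directory was spelled."""
    return ntpath.basename(command.strip().strip('"')).lower()


def stack_by_action(tasks):
    """Map each ActionName to the set of hosts running it and to the individual
    (host, task_path, arguments) instances behind that count."""
    hosts = defaultdict(set)
    instances = defaultdict(list)
    for host, task_path, job_xml in tasks:
        action = parse_exec_action(job_xml)
        if action is None:
            continue
        command, arguments = action
        name = action_name(command)
        hosts[name].add(host)
        instances[name].append((host, task_path, arguments))
    return hosts, instances


def rare_actions(tasks, max_hosts=1):
    """Return (action_name, host_count, instances) for ActionNames present on at
    most max_hosts hosts, rarest first: the fleet-wide answer to "how common is
    a task whose action is msiexec.exe?"."""
    hosts, instances = stack_by_action(tasks)
    rare = [(name, len(h), instances[name]) for name, h in hosts.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda r: (r[1], r[0]))


def in_microsoft_tree(task_path):
    r"""True when the job file sits under the Microsoft\ subtree, the blind spot
    the slides describe; a rare action there deserves a closer look."""
    return task_path.replace("/", "\\").lower().startswith("microsoft\\")


if __name__ == "__main__":
    for name, count, inst in rare_actions(SAMPLE_TASKS):
        for host, path, args in inst:
            flag = " [under Microsoft\\]" if in_microsoft_tree(path) else ""
            print(f"{name}: {count} host(s) {host} {path}{flag} args={args!r}")
```

On a real fleet msiexec.exe will not be unique to one host, since software deployment tools schedule it legitimately, so the same stacking is worth repeating on the full command plus arguments (a UNC path handed to /i is the tell in the Duqu description) and on the task path itself; the normalization in action_name is what keeps attacker spelling variations from splitting the stack.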